DEV380DEV380用用 VS2005VS2005轻轻松松开发安全应轻轻松松开发安全应用用

蔺华蔺华ISVISV 开发合作经理开发合作经理DPEDPEMicrosoft CorporationMicrosoft Corporation

您最担心的安全问题是什么您最担心的安全问题是什么 ??

#1 回答“提高代码安全性的软件工具”

关于开发人员安全性的一些数据关于开发人员安全性的一些数据

““75 percent of hacks happen at the application” - 75 percent of hacks happen at the application” - Gartner “Security at the Gartner “Security at the Application Level”Application Level”

"The conclusion is unavoidable: any notion that security is a matter of simply "The conclusion is unavoidable: any notion that security is a matter of simply protecting the network perimeter is hopelessly out of date” - protecting the network perimeter is hopelessly out of date” - IDC and IDC and Symantec, 2004Symantec, 2004

““11 of CERT’s 13 major security advisories for 2003 are bugs arising from 11 of CERT’s 13 major security advisories for 2003 are bugs arising from programming errors in applications [not the OS]” - programming errors in applications [not the OS]” - Carnegie Mellon Carnegie Mellon UniversityUniversity

““If only 50 percent of software vulnerabilities were removed prior to If only 50 percent of software vulnerabilities were removed prior to production … costs would be reduced by 75 percent” production … costs would be reduced by 75 percent” - - Gartner “Security at Gartner “Security at the Application Level”the Application Level”

““The battle between hackers and security professionals has moved from the The battle between hackers and security professionals has moved from the network layer to the Web applications themselves"network layer to the Web applications themselves" - - Network WorldNetwork World

““64 percent of developers are not confident in their ability to write secure 64 percent of developers are not confident in their ability to write secure applications” - applications” - Microsoft Developer ResearchMicrosoft Developer Research

// Example #1#define MAX (50)char szDest[MAX];strncpy(szDest,pszSrc,strlen(pszSrc));

Wrong buffer size!

Wrote NULL to element51, not 50!

// Example #2#define MAX (50)char szDest[MAX];strncpy(szDest,pszSrc,MAX);pszDest[MAX] = '\0';

SQL Injection!

// Example #3string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";

Or 1=1 --

True

SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''SELECT Count(*) FROM Users WHERE UserName='' Or 1=1

Hard to guess password!

Connecting as sysadmin

String concatfor dynamic SQL

Telling the bad guytoo much on failure

Create Project PoliciesCreate Project Policies

Create Policies around testing Create Policies around testing using VSTSusing VSTS

SCC Policy EngineSCC Policy EngineSCC Policy EngineSCC Policy Engine

Unit

Test

ing

U

nit

Test

ing

U

nit

Test

ing

U

nit

Test

ing

WI A

ssoci

ati

on

WI A

ssoci

ati

on

WI A

ssoci

ati

on

WI A

ssoci

ati

on

Sta

tic

An

aly

sis

Sta

tic

An

aly

sis

Sta

tic

An

aly

sis

Sta

tic

An

aly

sis

Rele

ase

Note

sR

ele

ase

Note

sR

ele

ase

Note

sR

ele

ase

Note

s

Cust

om

Polic

yC

ust

om

Polic

yC

ust

om

Polic

yC

ust

om

Polic

yPolicy Policy DefinitionsDefinitions•.NET Assemblies.NET Assemblies•Return Pass or Return Pass or Fail and messageFail and message•Customer Customer ExtensibleExtensible•User Over-ridableUser Over-ridable

““I have a complex application.

I have a complex application. Why is there no tool that helps

Why is there no tool that helps me find out the minimum

me find out the minimum security requirements of my

security requirements of my application?”application?”

“’“’I’d like to write applications

I’d like to write applications that do not require full trust,

that do not require full trust, but there is no easy way to test

but there is no easy way to test and debug applications like

and debug applications like this.”this.”

Listening to our Customers

Permission CalculatorPermission CalculatorChecks the security requirements of an applicationChecks the security requirements of an applicationStatically checks for called APIsStatically checks for called APIs

For each library API a permission set is returnedFor each library API a permission set is returned

Outputs estimate of minimum set of permissions Outputs estimate of minimum set of permissions required to run applicationrequired to run application

ApplicationAn entry point (Main, etc.)

Method A

Method B Method C

Method D

Method E

Method FDemand P1

Demand P2

Assert P1

Required permissions:

P2

Writing Partial Trust ApplicationsWriting Partial Trust Applications

Develop and Debug logged in as Least Develop and Debug logged in as Least PrivilegePrivilege

If a developer wants to write a least If a developer wants to write a least privilege application, she can log in as a privilege application, she can log in as a least privilege user herselfleast privilege user herself

Code Access Security Code Access Security Enables developers writing managed code Enables developers writing managed code to run the code in a sandbox using to run the code in a sandbox using custom privilegescustom privileges

IntelliSense in ZoneIntelliSense in Zone

Set a zoneSet a zoneGrays out items in the IntelliSense list that would cause an app Grays out items in the IntelliSense list that would cause an app to violate the security settingsto violate the security settingsAllows developers to catch security issues before they actually Allows developers to catch security issues before they actually write the codewrite the code

VB.NET My ClassesVB.NET My Classes

Exposes easy to use methods for many Exposes easy to use methods for many taskstasks

My.User.IsAuthenticated My.User.IsAuthenticated

My.User.CurrentPrincipal.IdentityMy.User.CurrentPrincipal.Identity

My.User.IsInRoleMy.User.IsInRole

My.User.NameMy.User.Name

Data Protection APIData Protection API

Built into .NET Framework 2.0Built into .NET Framework 2.0

Makes it easy to secure dataMakes it easy to secure data

Uses underlying features of Windows Uses underlying features of Windows 2000 and up2000 and up

ASP.NET Membership ServiceASP.NET Membership Service

Service for managing users and Service for managing users and credentialscredentials

Declarative access via Web Site Admin Declarative access via Web Site Admin ToolTool

Programmatic access via Membership and Programmatic access via Membership and MembershipUser classesMembershipUser classes

Membership class provides base Membership class provides base servicesservices

MembershipUser class represents MembershipUser class represents users and provides additional servicesusers and provides additional services

Provider-based for flexible data storageProvider-based for flexible data storage

ASP.NET Role Management ServiceASP.NET Role Management Service

Role-based security in a boxRole-based security in a boxDeclarative access via Web Site Admin Declarative access via Web Site Admin ToolTool

Programmatic access via Roles classProgrammatic access via Roles class

Roles class contains static methods for Roles class contains static methods for creating roles, adding users to roles, creating roles, adding users to roles, etc.etc.

Maps users to roles on each requestMaps users to roles on each requestReplaces Replaces Application_AuthenticateRequestApplication_AuthenticateRequest

Provider-based for flexible data storageProvider-based for flexible data storage

ASP.NET Configuration ClassASP.NET Configuration Class

Gateway to the configuration APIGateway to the configuration API

Provides merged view of configuration Provides merged view of configuration settings for machine or applicationsettings for machine or application

ConfigurationManager implementation ConfigurationManager implementation for combination Winform/Webform for combination Winform/Webform appsapps

ConfigurationManagerpart of ConfigurationManagerpart of System.ConfigurationSystem.Configuration

Can be used to automatically Can be used to automatically encrypt/decrypt sectionsencrypt/decrypt sections

Static Analysis ToolsStatic Analysis Tools

PREfastPREfastScans applications built in C/C++ for security Scans applications built in C/C++ for security vulnerabilitiesvulnerabilities

Examples:Examples:Buffer overrunsBuffer overrunsUn-initialized memoryUn-initialized memoryMemory leaksMemory leaks

FxCopFxCopScans managed code for 200 total defectsScans managed code for 200 total defects

ExamplesExamplesSQL injectionSQL injectionPermissionsPermissionsPointersPointers

Integrated Bug TrackingIntegrated Bug Tracking

Easy, Integrated into Easy, Integrated into development processdevelopment process

Design your own Design your own process – Fields, process – Fields, Forms, States, RulesForms, States, Rules

Extensive linking – Extensive linking – bugs, reports, artifactsbugs, reports, artifacts

NotificationsNotifications

C++ SafeCRT LibrariesC++ SafeCRT Libraries

Changes in C/C++ Libraries where specific Changes in C/C++ Libraries where specific functions were found to have unsafe functions were found to have unsafe designdesign

Example: Example: char * char * strcpy strcpy (char * dest, const (char * dest, const char * src)char * src)

Microsoft has deprecated these functionsMicrosoft has deprecated these functions

Compiler warnings when inherently Compiler warnings when inherently unsafe functions are usedunsafe functions are used

Code Coverage and Stress TestingCode Coverage and Stress Testing

Code CoverageCode CoverageCode coverage analysisCode coverage analysis

Enables development teams to know with Enables development teams to know with confidence how much and what parts of their confidence how much and what parts of their code is exercised by their testing, thus allowing code is exercised by their testing, thus allowing them to focus on the weak spots.them to focus on the weak spots.

Load/Stress TestingLoad/Stress TestingSome defects only manifest themselves when the Some defects only manifest themselves when the server is put under load or stress.  server is put under load or stress. 

Includes load/stress testing for your web Includes load/stress testing for your web applications.applications.

/GS Switch/GS Switch

/GS Switch/GS SwitchUsed to mitigate buffer overrun exploitsUsed to mitigate buffer overrun exploitsUsed to recompile Windows XPSP2 and Windows Server 2003Used to recompile Windows XPSP2 and Windows Server 2003Considerable enhancementsConsiderable enhancementsOn by defaultOn by default

EB

P

EIP ArgsOther vars Buffers

cookie

Higher addressesVC++ Stack

Application VerifierApplication Verifier

Application VerifierApplication VerifierFocuses on detecting the common issues Focuses on detecting the common issues that deal with application security and that deal with application security and quality such as:quality such as:

heap corruptionheap corruptionhandlehandlelockslocks

Results in:Results in:Better qualityBetter qualityIncreased securityIncreased securityReduced debugging timeReduced debugging time

Native codeNative code

Security Development LifecycleSecurity Development Lifecycle

*Steve Lipner and Michael Howard, Security Engineering Strategy, Microsoft

Inception-Security advisor assigned-Ensure security milestones understood-Identify security requirements

Design & Threat Modeling-Design guidelines documented-Threat models produced-Security architecture documented-Threat model and design review completed-Ship criteria agreed to

Guidelines & Best Practices-Coding and test standards followed-Test plans developed and executed (including fuzz testing)-Tools used (Code analysis)

Security Push-Threat models reviewed-Code reviewed-Attack testing-New threats evaluated-Security testing completed

Final Security Review (FSR)-Threat models reviewed-Unfixed bugs reviewed-New bugs reviewed (postmortem)-Penetration testing completed-Documentation archived

RTM & Deployment-Signoff by security team

Security Response Feedback-Tools/processes evaluated-Postmortems completed

http://msdn.microsoft.com/security/sdl

ConclusionConclusion

Security is a challengeSecurity is a challenge

People, Process, and People, Process, and ToolsTools

Visual Studio 2005 will Visual Studio 2005 will help you write more help you write more secure code with secure code with innovative tools and innovative tools and featuresfeatures

http://msdn.microsoft.com/security

Questions?